I'm attempting my first migration of an ASA to one of my Panorama-managed clusters (1 A/P cluster in a DG/Template) and am following the recent YouTube tutorial for doing so. When I get to the merge step, the API results include a lot items for my other DGs/Templates. I've tried Atomic & Subatomic and it pretty much looks the same (I didn't do a line-for-line comparison by eyeballing the 2 looks identical).
Is this something of concern? Are there certain things to be on the lookout for?
Sorry, what I meant is that since I first started this Project iteration, Panorama has been updated. Apparently, I missed a step in updating Expedition for the changes. I did the Devices | Contents | Retrieve Contents but I seem to recall that I might need to do something else in the Project itself like re-import Panorama.
The old configs will always there unless you create a new project. You could unset the base config and set the new one to be base config on the right side but whatever you worked on in the old config won’t show up in the new base config .
. Please see attached screenshot, go to right side base config panel , expand the base config , you will see the current base config you are using , and click on "Unset base config " on the bottom , the config will then move back to left side . you should now see at least two panorama configs on the left side , one is the newer one you want to set as base config , then select that newer version of config and click the blue button "Set base config" , now you should see the base config changed to the latest version. But whatever you worked on before against the old base config will be gone.
Oops, should have refreshed before replying.
makes sense although i already did it. Object-wise, there isn't much to worry about in our Panorama configuration - just a duplicate address group.
So if I did need to keep an edited XML, would I first merge the newer XML and then merge the ASA config?
Duplicate address group can be fixed in Expedition, you can go to Dashboard -> address group-> duplicated , click on the red number , it will take you to the address group object panel , you can then select the pair of duplicated address group right click , select merge to merge them.
It is not good idea to merge two PAN-OS configs that's mostly are duplicated, I would suggest you create a new project , import your edited xml file into the project and add your panorama device to the project but don't import the panorama production config in the project. Click on generate API request , for example , if you want to merge the address objects and address group objects from the edited XML to your production Panorama , you can select only "address" objects and changed the API call function to "Set" as shown in screenshot , when you changed it from Edit to set , you will need to remove the first <address> and last </address> in the element filed , then click on send API calls to your production panorama. Please save a snapshot on your production panorama before you proceed any API calls from Expedition.
If all those are too complicated , you could also login to Panorama CLI , merge the objects using Load config partial command as shown in option 3 of the below link: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/transition-a-firewall...
Make sure you do a mode "merge". for example if you are merging the address objects , your command will look like below:
You will need to import your edit xml into Panorama first then issue above command , it will then merge specific Device group address object from your edit xml to the corresponding device group on production panorama. If it's shared address objects , you will change the xpath to /config/shared/address
Hope this helps!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!